forked from a2o/snoopy
-
Notifications
You must be signed in to change notification settings - Fork 0
/
snoopy.ini
156 lines (138 loc) · 5.49 KB
/
snoopy.ini
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
;;; REQUIRED Section
;
[snoopy]
;;; Log Message Format specification
;
; May consist of:
; - arbitrary text, which is copied to log message as-is,
; - calls to data sources without arguments: %{datasourcename}
; - calls to data sources with argument : %{datasourcename:arg1}
; - calls to data sources with arguments: %{datasourcename:arg1,arg2} <--- if data source supports it
;
; List of data sources:
; - %{cmdline} ; Full command line, with arguments
; - %{cwd} ; Current working directory
; - %{egid} ; Effective gid that executed the command
; - %{egroup} ; Effective group name that executed the command
; - %{env:VAR} ; Environmental variable named 'VAR'
; - %{env_all} ; All environmental varibles, comma separated
; - %{euid} ; Effective uid that executed the command
; - %{eusername} ; Effective username that executed the command
; - %{filename} ; Full path to executable
; - %{gid} ; Group id that executed the command
; - %{group} ; Group name that executed the command
; - %{login} ; Login name (tries getlogin_r() first, then SUDO_USER env variabe, and LOGNAME env as last resort)
; - %{ppid} ; Parent process ID of process that executed the command
; - %{pid} ; ID of process that executed the command
; - %{rpname} ; Root process name of process that executed the command
; - %{sid} ; Process id of session group process leader
; - %{snoopy_version} ; Snoopy version
; - %{tty} ; Which TTY the command was run on
; - %{tty_uid} ; TTY uid
; - %{tty_username} ; TTY username
; - %{uid} ; User id that executed the command
; - %{username} ; Username that executed the command
;
; Default value:
; "[uid:%{uid} sid:%{sid} tty:%{tty} cwd:%{cwd} filename:%{filename}]: %{cmdline}"
;
; Example:
;message_format = "useless static log entry that gets logged on every program execution"
;message_format = "[uid:%{uid} sid:%{sid} tty:%{tty} cwd:%{cwd} filename:%{filename}]: %{cmdline}"
;;; Filter Chain specification
;
; Example definitions:
; - filter_chain = "exclude_uid:0" # Log all commands, except the ones executed by root
; - filter_chain = "exclude_uid:1,2,3" # Log all commands, except those executed by users with UIDs 1, 2 and 3
; - filter_chain = "only_uid:0" # Log only root commands
; - filter_chain = "exclude_spawns_of:cron,my_daemon" # Do not log commands spawned by cron or my_daemon
; - filter_chain = "filter1:arg11;filter2:arg21,arg22;filter3:arg31,32,33"
;
; Here you have four filter definitions for your reference, they are
; quite self-explanatory. As you probably noted in the last example,
; multiple filters may be defined in a chain, separated by semicolon.
;
; Each filter chains can contain multiple filter definitions. They are
; processed in order of appearance. If any of the filters decides the
; message should be dropped, the filter chain processing is immediately
; interrupted and message is not passed to syslog.
;
; If filter requires an argument, they may be passed to them by
; specifying a colon after filter name, followed by an argument.
; Argument is passed to the filter as-is. If passing of multiple
; arguments to filter is required, they are passed as single string
; and must be parsed/tokenized by the filter itself (see "only_uid"
; filter for example).
;
; Filter chain specification may not contain any spaces.
; (Acutally spaces are allowed in arguments, but not in filter names
; and between semicolons and filter names, nor between filter names
; and following colons.)
;
; Default value:
; "" (empty string)
;
; Examples:
;filter_chain = ""
;filter_chain = "only_uid:0"
;filter_chain = "only_uid:10000"
;filter_chain = "exclude_uid:0"
;;; Output
;
; Where messages get sent to
;
; Possible options:
; - devlog ; default
; - syslog ; previuosly-default (WARNING: DO NOT USE syslog VALUE WITH systemd - IT WILL HANG YOUR SYSTEM ON BOOT)
;
; Options pending implementation (patches welcome!):
; - console ; TODO
; - file:/absolute/path/to/file ; TODO (missing path configuration too)
; - journald ; TODO
; - socket:/absolute/path/to/socket ; TODO (missing path configuration too)
;
; Default value:
; devlog
; (previously 'syslog' was default value, but due to systemd issues default was changed)
; (to raw device writing as syslogd blocks syslog() calls if journald is not running)
;
; Example:
;output = console
;;; Error Logging
;
; Whether to log error messages or not.
; This should generally be disabled, as it may generate lots of error logs.
;
; The most appropriate usage of this parameter is when:
; - you are developing new data source
; - you are trying to configure message format and are having problems with it
;
; Default value:
; no (unless changed by ./configure --enable-error-logging to yes)
;
; Example:
;error_logging = yes
;;; Syslog Facility
;
; What syslog facility to use. Can be prefixed with 'LOG_'.
;
; Possible values:
; One of AUTH|AUTHPRIV|CRON|DAEMON|FTP|KERN|LOCAL[0-7]|LPR|MAIL|NEWS|SYSLOG|USER|UUCP
;
; Default value:
; LOG_AUTHPRIV (unless changed by ./configure --with-syslog-facility=FACILITY)
;
; Example:
;syslog_facility = LOG_AUTHPRIV
;;; Syslog Level
;
; What syslog level to use. Can be prefixed with 'LOG_'.
;
; Possible values:
; One of EMERG|ALERT|CRIT|ERR|WARNING|NOTICE|INFO|DEBUG
;
; Default value:
; LOG_INFO (unless changed by ./configure --with-syslog-level=LEVEL)
;
; Example:
;syslog_level = LOG_INFO